Why Common Knowledge of Cyberattack Lifecycle is Wrong

There’s a traditional understanding of a cyberattack lifecycle that is attractive and reasonable – and now totally wrong.

It started with Lockheed Martin’s Cyber Kill Chain and evolved over time to look something like this:

Attackers do reconnaissance of their targets to find vulnerable areas.

They hack past defenses, trick users into installing malware, or use some other methods to get their foot in the door.

Communications are set up. For example, the malware calls out to a command and control center.

The attackers move laterally through the target’s systems.

The attackers find their target – such as a database of valuable information – and break in.

The attackers steal this data, corrupt the systems, or do some other damage.

This process makes intuitive sense to defenders and provides an action plan that cybersecurity professionals can follow. For example, if they can keep the attackers from moving laterally, or from establishing communications, or from exfiltrating the data, the whole attack can be stopped.